first commit
This commit is contained in:
commit
e02f17166a
BIN
.Dockerfile.swp
Normal file
BIN
.Dockerfile.swp
Normal file
Binary file not shown.
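Review bot: `.Dockerfile.swp` is a Vim swap file, an editor artifact that should not be committed; it can hold unsaved buffer contents of the Dockerfile and adds an opaque binary blob to the repository history. Remove it from the commit and add `*.swp` to `.gitignore`, and to `.dockerignore` so it is never shipped in the build context either.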
21
.drone.yml
Normal file
21
.drone.yml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
pipeline:
|
||||||
|
build:
|
||||||
|
image: xataz/docker-drone-plugin
|
||||||
|
repo: xataz/reverse-nginx
|
||||||
|
action: build
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
|
||||||
|
push:
|
||||||
|
image: xataz/docker-drone-plugin
|
||||||
|
repo: xataz/reverse-nginx
|
||||||
|
action: push
|
||||||
|
environment:
|
||||||
|
- UID=1000
|
||||||
|
- GID=991
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
- /home/xataz/.docker/config.json:/docker/.docker/config.json
|
||||||
|
when:
|
||||||
|
branch: master
|
||||||
|
event: [push, tag, deployment]
|
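Review bot: Both steps use `image: xataz/docker-drone-plugin` with no tag, so every run pulls whatever `latest` resolves to at that moment; because the plugin also receives `/var/run/docker.sock`, which is root-equivalent on the CI host, this is exactly the image that most needs pinning (`image: xataz/docker-drone-plugin:<tag>` — placeholder, pick a released tag). The push step bind-mounts `/home/xataz/.docker/config.json`, i.e. registry credentials living on the runner's filesystem, into the container; Drone's runtime secret injection keeps such credentials out of the host path and out of the pipeline definition. Indentation is lost in the rendered page, so the step nesting is taken as written.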
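--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,104 @@
+FROM xataz/alpine:3.6
+
+LABEL Description="reverse with nginx based on alpine" \
+tags="latest mainline 1.13.5 1.13" \
+maintainer="xataz <https://github.com/xataz>" \
+build_ver="2017090601"
+
+ARG NGINX_VER=1.13.5
+ARG NGINX_GPG="B0F4253373F8F6F510D42178520A9993A1C052F8"
+ARG TOR_GPG="2133BC600AB133E1D826D173FE43009C4607B1FB"
+ARG BUILD_CORES
+ARG NGINX_CONF="--prefix=/nginx \
+--sbin-path=/usr/local/sbin/nginx \
+--http-log-path=/nginx/log/nginx_access.log \
+--error-log-path=/nginx/log/nginx_error.log \
+--pid-path=/nginx/run/nginx.pid \
+--lock-path=/nginx/run/nginx.lock \
+--user=reverse --group=reverse \
+--with-http_ssl_module \
+--with-http_v2_module \
+--with-http_gzip_static_module \
+--with-http_stub_status_module \
+--with-threads \
+--with-pcre-jit \
+--with-ipv6 \
+--without-http_ssi_module \
+--without-http_scgi_module \
+--without-http_uwsgi_module \
+--without-http_geo_module \
+--without-http_autoindex_module \
+--without-http_split_clients_module \
+--without-http_memcached_module \
+--without-http_empty_gif_module \
+--add-module=/tmp/headers-more-nginx-module \
+--without-http_browser_module"
+ARG TOR_VER=0.3.1.7
+
+ENV UID=991 \
+GID=991 \
+EMAIL=admin@mydomain.local
+
+RUN export BUILD_DEPS="build-base \
+libressl-dev \
+pcre-dev \
+zlib-dev \
+libc-dev \
+wget \
+gnupg \
+go \
+libevent-dev \
+git" \
+&& NB_CORES=${BUILD_CORES-$(grep -c "processor" /proc/cpuinfo)} \
+&& apk add -U ${BUILD_DEPS} \
+s6 \
+su-exec \
+ca-certificates \
+curl \
+jq \
+libressl \
+pcre \
+zlib \
+libevent \
+&& cd /tmp \
+&& git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
+&& wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz \
+&& wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc \
+&& gpg --keyserver pgp.mit.edu --recv-keys "$NGINX_GPG" || \
+gpg --keyserver keyserver.pgp.com --recv-keys "$NGINX_GPG" || \
+gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$NGINX_GPG" \
+&& gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz \
+&& tar xzf nginx-${NGINX_VER}.tar.gz \
+&& cd /tmp/nginx-${NGINX_VER} \
+&& ./configure ${NGINX_CONF} \
+&& make -j ${NB_CORES} \
+&& make install \
+&& mkdir -p /tmp/go/bin \
+&& export GOPATH=/tmp/go \
+&& export GOBIN=$GOPATH/bin \
+&& git config --global http.https://gopkg.in.followRedirects true \
+&& go get github.com/xenolf/lego \
+&& mv /tmp/go/bin/lego /usr/local/bin/lego \
+&& cd /tmp \
+&& wget https://www.torproject.org/dist/tor-${TOR_VER}.tar.gz \
+&& wget https://www.torproject.org/dist/tor-${TOR_VER}.tar.gz.asc \
+&& gpg --keyserver pgp.mit.edu --recv-keys "$TOR_GPG" || \
+gpg --keyserver keyserver.pgp.com --recv-keys "$TOR_GPG" || \
+gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$TOR_GPG" \
+&& gpg --batch --verify tor-${TOR_VER}.tar.gz.asc tor-${TOR_VER}.tar.gz \
+&& tar xzf tor-${TOR_VER}.tar.gz \
+&& cd tor-${TOR_VER} \
+&& ./configure \
+&& make -j ${NB_CORES} \
+&& make install \
+&& mv /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc \
+&& apk del ${BUILD_DEPS} \
+&& rm -rf /tmp/* /var/cache/apk/*
+
+COPY rootfs /
+RUN chmod +x /usr/local/bin/startup /etc/s6.d/*/*
+
+EXPOSE 80 443
+
+ENTRYPOINT ["/usr/local/bin/startup"]
+CMD ["/bin/s6-svscan", "/etc/s6.d"]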
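Review bot: The keyserver fallback `gpg --recv-keys "$NGINX_GPG" || gpg ... || gpg ...` is not grouped, and since the shell evaluates `&&` and `||` left-to-right with equal precedence, a failure anywhere earlier in the chain (either `wget`, or the `git clone`) is swallowed by the `||` branches and the build only dies later, in `gpg --verify` or `./configure`, with a misleading error; wrap the fallbacks, `&& ( gpg --keyserver pgp.mit.edu --recv-keys "$NGINX_GPG" || gpg --keyserver keyserver.pgp.com --recv-keys "$NGINX_GPG" || gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$NGINX_GPG" ) \`, and likewise for `$TOR_GPG`. `git clone https://github.com/openresty/headers-more-nginx-module --depth=1` and `go get github.com/xenolf/lego` compile whatever the upstream default branch holds at build time, so two builds of the same Dockerfile can differ and an upstream compromise would be picked up silently; pin each to a tag or commit through an `ARG` beside `NGINX_VER`. The nginx tarball and its signature are fetched over plain `http://nginx.org`; the signature check covers integrity, but `https://` is available and removes the cleartext hop. `RUN chmod +x ...` after `COPY rootfs /` re-copies every touched file into a new layer; setting the executable bit in the repository (git tracks it) makes that step unnecessary.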
119
README.md
Normal file
119
README.md
Normal file
|
@ -0,0 +1,119 @@
|
||||||
|
![](http://nginx.org/nginx.png)
|
||||||
|
|
||||||
|
# BETA VERSION ACTUALY !!!!!
|
||||||
|
[![Build Status](https://drone.xataz.net/api/badges/xataz/docker-reverse-nginx/status.svg)](https://drone.xataz.net/xataz/docker-reverse-nginx)
|
||||||
|
[![](https://images.microbadger.com/badges/image/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own image badge on microbadger.com")
|
||||||
|
[![](https://images.microbadger.com/badges/version/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own version badge on microbadger.com")
|
||||||
|
|
||||||
|
> This image is build and push with [drone.io](https://github.com/drone/drone), a circle-ci like self-hosted.
|
||||||
|
> If you don't trust, you can build yourself.
|
||||||
|
|
||||||
|
## Tag available
|
||||||
|
* latest, mainline, 1.13.5, 1.13 [(Dockerfile)](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)
|
||||||
|
|
||||||
|
## Features
|
||||||
|
* No ROOT process
|
||||||
|
* Automatic configuration generation
|
||||||
|
* Automatic certificate generation and renew with letsencrypt and without downtime (use lego)
|
||||||
|
* Latest nginx version
|
||||||
|
* ARG for custom build
|
||||||
|
|
||||||
|
## Description
|
||||||
|
What is [Nginx](http://nginx.org)?
|
||||||
|
|
||||||
|
nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 24.29% busiest sites in December 2015. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.
|
||||||
|
|
||||||
|
Reverse-nginx generate for you the configuration of reverse proxy. Like traefik, it is based on the labels of containers, but it isn't dynamicly.
|
||||||
|
|
||||||
|
## Build Image
|
||||||
|
### Build arguments
|
||||||
|
* NGINX_CONF : Nginx make configure options
|
||||||
|
* NGINX_VER : Nginx version
|
||||||
|
* ARG NGINX_GPG : GPG fingerprint (default : "B0F4253373F8F6F510D42178520A9993A1C052F8")
|
||||||
|
* ARG BUILD_CORES : Number of core use for make nginx (default : All cores)
|
||||||
|
|
||||||
|
### Simply build
|
||||||
|
```shell
|
||||||
|
docker build -t xataz/reverse-nginx github.com/xataz/dockerfiles.git#master:reverse-nginx
|
||||||
|
```
|
||||||
|
### Build other version
|
||||||
|
```shell
|
||||||
|
docker build -t xataz/reverse-nginx --build-arg NGINX_VER=1.9.5 github.com/xataz/dockerfiles.git#master:reverse-nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
### Environments
|
||||||
|
* UID : Choose uid for launch nginx (default : 991)
|
||||||
|
* GID : Choose gid for launch nginx (default : 991)
|
||||||
|
|
||||||
|
### Volumes
|
||||||
|
* /nginx/ssl : For certificate persistance
|
||||||
|
* /nginx/custom_sites : For create your own sites
|
||||||
|
* /tor/ : For tor address
|
||||||
|
|
||||||
|
### Ports
|
||||||
|
* 8080
|
||||||
|
* 8443
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
### Environments
|
||||||
|
| Variable | Description | default | value |
|
||||||
|
| -------- | ----------- | ------- | ----- |
|
||||||
|
| UID | UID for launch nginx | 991 | Valid UID number |
|
||||||
|
| GID | GID for launch nginx | 991 | Valid GID number |
|
||||||
|
| EMAIL | email use for generate letsencrypt certificates | admin@mydomain.local | Valid address mail |
|
||||||
|
|
||||||
|
### Labels
|
||||||
|
| Label Name | Description | default | value |
|
||||||
|
| ---------- | ----------- | ------- | ----- |
|
||||||
|
| reverse.frontend.domain | Domain Name for this service | mydomain.local | valid domain name |
|
||||||
|
| reverse.frontend.path | Domain path (warning, no rewrite url) | / | valid path, with / |
|
||||||
|
| reverse.frontend.auth | For auth basic | none | user:encryptpassword |
|
||||||
|
| reverse.frontend.ssltype | Choose ssl type | ec384 | rsa2048, rsa4096, rsa8192, ec256 or ec384 |
|
||||||
|
| reverse.frontend.domain\_max\_body\_size | Choose max size upload | 200M | Numeric value with unit (K,M,G,T) |
|
||||||
|
| reverse.frontend.ssl | Generate letsencrypt certificate | false | true or false |
|
||||||
|
| reverse.frontend.tor | If container is an hidden service | false | boolean (true / false) |
|
||||||
|
| reverse.backend.port | Port use by container | 8080 | Valid port number |
|
||||||
|
|
||||||
|
|
||||||
|
More labels soon !!!
|
||||||
|
|
||||||
|
### Launch
|
||||||
|
#### First launch another container
|
||||||
|
For exemple, I launch lutim container :
|
||||||
|
```shell
|
||||||
|
$ docker run -d \
|
||||||
|
--name lutim \
|
||||||
|
--label reverse.frontend.domain=sub.domain.com \
|
||||||
|
--label reverse.frontend.path=lutim \
|
||||||
|
--label reverse.frontend.auth=USER:$(openssl passwd -crypt PASSWORD) \
|
||||||
|
--label reverse.frontend.ssltype=ec256 \
|
||||||
|
--label reverse.frontend.ssl = true \
|
||||||
|
--label reverse.backend.port=8181 \
|
||||||
|
-v /docker/config/lutim/data:/data \
|
||||||
|
-v /docker/data/lutim:/lutim/files \
|
||||||
|
-e UID=1001 \
|
||||||
|
-e GID=1001 \
|
||||||
|
-e WEBROOT=/lutim \
|
||||||
|
-e SECRET=$(date +%s | md5sum | head -c 32) \
|
||||||
|
-e CONTACT=contact@domain.com \
|
||||||
|
-e MAX_FILE_SIZE=250000000 \
|
||||||
|
xataz/lutim
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
#### Launch reverse-nginx
|
||||||
|
```shell
|
||||||
|
docker run -d \
|
||||||
|
-p 80:8080 \
|
||||||
|
-p 443:8443 \
|
||||||
|
--name reverse \
|
||||||
|
-e EMAIL=me@mydomain.com \
|
||||||
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||||
|
xataz/reverse-nginx
|
||||||
|
```
|
||||||
|
|
||||||
|
URI Access : https://sub.domain.com/lutim
|
||||||
|
|
||||||
|
|
||||||
|
|
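--- a/auto_upgrade.sh
+++ b/auto_upgrade.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+NGINX_MAINLINE_VERSION=$(grep "NGINX_VER=" Dockerfile | cut -d"=" -f2)
+NEW_NGINX_MAINLINE_VERSION=$(curl http://nginx.org/en/download.html 2> /dev/null | sed 's|>|>\n|g' | grep '^<a href="/download/nginx-' | head -1 | sed 's|.*nginx-\(.*\).tar.gz.*|\1|')
+
+f_gen_tag() {
+VERSION=$1
+
+TAGS="latest mainline ${VERSION} $(echo ${VERSION} | cut -d'.' -f '1 2')"
+}
+
+f_maj_dockerfile() {
+BUILD_VER=$(date +%Y%m%d01)
+
+## Edit dockerfile
+sed -i 's/NGINX_VER=.*/NGINX_VER='$1'/;
+s/tags=".*"/tags="'"${TAGS}"'"/;
+s/build_ver=".*"/build_ver="'${BUILD_VER}'"/' Dockerfile
+}
+
+f_maj_readme() {
+TAGS=$(echo $TAGS | sed 's/ /, /g')
+
+sed -i 's#\* .*/Dockerfile)#\* '"${TAGS}"' \[(Dockerfile)\](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)#' README.md
+}
+
+if [ "${NGINX_MAINLINE_VERSION}" != "${NEW_NGINX_MAINLINE_VERSION}" ]; then
+echo "Update nginx mainline to ${NEW_NGINX_MAINLINE_VERSION}"
+f_gen_tag ${NEW_NGINX_MAINLINE_VERSION} "latest mainline"
+f_maj_dockerfile ${NEW_NGINX_MAINLINE_VERSION}
+f_maj_readme
+fi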
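Review bot: `NEW_NGINX_MAINLINE_VERSION` is scraped from `http://nginx.org/en/download.html` over plain HTTP with errors discarded (`2> /dev/null`, no `-f`), and is then spliced unquoted into the `sed -i` expressions that rewrite `Dockerfile` and `README.md`; a failed or changed download yields an empty string, which differs from the current version, so the script happily writes `NGINX_VER=` into the Dockerfile, and anything that can alter that page in transit chooses the version (and the `tags` label) that gets built. Fetch with failure detection over TLS, `curl -fsSL https://nginx.org/en/download.html`, and validate the result before touching any file, e.g. `case "${NEW_NGINX_MAINLINE_VERSION}" in ''|*[!0-9.]*) echo "unexpected version" >&2; exit 1;; esac`. `f_gen_tag` is called with a second argument, `"latest mainline"`, that the function never reads; either drop it or use it.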
48
docker-compose.yml
Normal file
48
docker-compose.yml
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
version: '2'
|
||||||
|
|
||||||
|
networks:
|
||||||
|
default:
|
||||||
|
driver: bridge
|
||||||
|
|
||||||
|
services:
|
||||||
|
lutim:
|
||||||
|
image: xataz/lutim
|
||||||
|
container_name: lutim
|
||||||
|
labels:
|
||||||
|
- reverse.frontend.domain=sub.docker.local
|
||||||
|
- reverse.frontend.path=lutim
|
||||||
|
- reverse.frontend.auth=USER:zkgudxk6qOT5g
|
||||||
|
- reverse.backend.port=8181
|
||||||
|
environment:
|
||||||
|
- UID=1001
|
||||||
|
- GID=1001
|
||||||
|
- WEBROOT=/lutim
|
||||||
|
- SECRET=908de85a9809724481c8a360c90879da
|
||||||
|
- CONTACT=contact@domain.com
|
||||||
|
- MAX_FILE_SIZE=250000000
|
||||||
|
|
||||||
|
lufi:
|
||||||
|
image: xataz/lufi
|
||||||
|
container_name: lufi
|
||||||
|
labels:
|
||||||
|
- reverse.frontend.domain=sub.docker.local
|
||||||
|
- reverse.frontend.path=lufi
|
||||||
|
- reverse.frontend.auth=USER:zkgudxk6qOT5g
|
||||||
|
- reverse.backend.port=8080
|
||||||
|
environment:
|
||||||
|
- UID=1001
|
||||||
|
- GID=1001
|
||||||
|
- WEBROOT=/lufi
|
||||||
|
|
||||||
|
reverse:
|
||||||
|
image: xataz/reverse-nginx
|
||||||
|
container_name: reverse
|
||||||
|
ports:
|
||||||
|
- "80:8080"
|
||||||
|
- "443:8443"
|
||||||
|
volumes:
|
||||||
|
- /docker/nginx/ssl:/nginx/ssl
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
depends_on:
|
||||||
|
- lufi
|
||||||
|
- lutim
|
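Review bot: The sample carries a fixed `SECRET=908de85a9809724481c8a360c90879da` for lutim and a `reverse.frontend.auth` value whose 13-character hash has the shape of classic DES `crypt(3)` output (what the README's `openssl passwd -crypt` produces), a scheme that truncates passwords to 8 characters and is cheap to brute-force; anyone who copies this file as-is deploys both values. Replace them with unmistakable placeholders (`SECRET=<change-me>`, `reverse.frontend.auth=USER:<hash>`) and steer the README toward `openssl passwd -apr1`, which nginx's `auth_basic` accepts. The `reverse` service also mounts `/var/run/docker.sock`, which is root-equivalent on the host; that is inherent to the label-driven design, but it belongs in the README so operators understand what they grant. Indentation is lost in the rendered page, so the nesting is taken as written.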
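--- a/rootfs/etc/s6.d/.s6-svscan/finish
+++ b/rootfs/etc/s6.d/.s6-svscan/finish
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0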
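--- a/rootfs/etc/s6.d/check_certs/run
+++ b/rootfs/etc/s6.d/check_certs/run
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+sleep 60
+while true; do
+/usr/local/bin/check_certs
+sleep 86400
+done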
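--- a/rootfs/etc/s6.d/nginx/run
+++ b/rootfs/etc/s6.d/nginx/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec nginx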
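--- a/rootfs/etc/s6.d/tor/run
+++ b/rootfs/etc/s6.d/tor/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+#exec tor -f /etc/tor/torrc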
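Review bot: The service's only command is commented out, so `run` exits immediately and s6-supervise will respawn it roughly once a second for the life of the container, flooding the supervisor output with restarts. If tor is not ready to ship, add a `down` file to `rootfs/etc/s6.d/tor/` (s6 then leaves the service stopped) or drop the directory; if it is meant to run, the line should be `exec tor -f /etc/tor/torrc`. In that case `rootfs/etc/tor/torrc` (later in this commit) needs `RunAsDaemon 0`: it currently sets `RunAsDaemon 1`, which forks tor into the background and makes s6 see the foreground process exit, so it would restart-loop in the same way.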
220
rootfs/etc/tor/torrc
Normal file
220
rootfs/etc/tor/torrc
Normal file
|
@ -0,0 +1,220 @@
|
||||||
|
## Configuration file for a typical Tor user
|
||||||
|
## Last updated 22 September 2015 for Tor 0.2.7.3-alpha.
|
||||||
|
## (may or may not work for much older or much newer versions of Tor.)
|
||||||
|
##
|
||||||
|
## Lines that begin with "## " try to explain what's going on. Lines
|
||||||
|
## that begin with just "#" are disabled commands: you can enable them
|
||||||
|
## by removing the "#" symbol.
|
||||||
|
##
|
||||||
|
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
|
||||||
|
## for more options you can use in this file.
|
||||||
|
##
|
||||||
|
## Tor will look for this file in various places based on your platform:
|
||||||
|
## https://www.torproject.org/docs/faq#torrc
|
||||||
|
|
||||||
|
## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
|
||||||
|
## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
|
||||||
|
## as a relay, and not make any local application connections yourself.
|
||||||
|
#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
|
||||||
|
#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
|
||||||
|
|
||||||
|
## Entry policies to allow/deny SOCKS requests based on IP address.
|
||||||
|
## First entry that matches wins. If no SOCKSPolicy is set, we accept
|
||||||
|
## all (and only) requests that reach a SOCKSPort. Untrusted users who
|
||||||
|
## can access your SOCKSPort may be able to learn about the connections
|
||||||
|
## you make.
|
||||||
|
#SOCKSPolicy accept 192.168.0.0/16
|
||||||
|
#SOCKSPolicy accept6 FC00::/7
|
||||||
|
#SOCKSPolicy reject *
|
||||||
|
|
||||||
|
## Logs go to stdout at level "notice" unless redirected by something
|
||||||
|
## else, like one of the below lines. You can have as many Log lines as
|
||||||
|
## you want.
|
||||||
|
##
|
||||||
|
## We advise using "notice" in most cases, since anything more verbose
|
||||||
|
## may provide sensitive information to an attacker who obtains the logs.
|
||||||
|
##
|
||||||
|
## Send all messages of level 'notice' or higher to /usr/local/var/log/tor/notices.log
|
||||||
|
#Log notice file /usr/local/var/log/tor/notices.log
|
||||||
|
## Send every possible message to /usr/local/var/log/tor/debug.log
|
||||||
|
#Log debug file /usr/local/var/log/tor/debug.log
|
||||||
|
## Use the system log instead of Tor's logfiles
|
||||||
|
#Log notice syslog
|
||||||
|
## To send all messages to stderr:
|
||||||
|
#Log debug stderr
|
||||||
|
|
||||||
|
## Uncomment this to start the process in the background... or use
|
||||||
|
## --runasdaemon 1 on the command line. This is ignored on Windows;
|
||||||
|
## see the FAQ entry if you want Tor to run as an NT service.
|
||||||
|
RunAsDaemon 1
|
||||||
|
|
||||||
|
## The directory for keeping all the keys/etc. By default, we store
|
||||||
|
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
|
||||||
|
#DataDirectory /usr/local/var/lib/tor
|
||||||
|
|
||||||
|
## The port on which Tor will listen for local connections from Tor
|
||||||
|
## controller applications, as documented in control-spec.txt.
|
||||||
|
#ControlPort 9051
|
||||||
|
## If you enable the controlport, be sure to enable one of these
|
||||||
|
## authentication methods, to prevent attackers from accessing it.
|
||||||
|
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
|
||||||
|
#CookieAuthentication 1
|
||||||
|
|
||||||
|
############### This section is just for location-hidden services ###
|
||||||
|
|
||||||
|
## Once you have configured a hidden service, you can look at the
|
||||||
|
## contents of the file ".../hidden_service/hostname" for the address
|
||||||
|
## to tell people.
|
||||||
|
##
|
||||||
|
## HiddenServicePort x y:z says to redirect requests on port x to the
|
||||||
|
## address y:z.
|
||||||
|
|
||||||
|
#HiddenServiceDir /usr/local/var/lib/tor/hidden_service/
|
||||||
|
#HiddenServicePort 80 127.0.0.1:80
|
||||||
|
|
||||||
|
#HiddenServiceDir /usr/local/var/lib/tor/other_hidden_service/
|
||||||
|
#HiddenServicePort 80 127.0.0.1:80
|
||||||
|
#HiddenServicePort 22 127.0.0.1:22
|
||||||
|
|
||||||
|
################ This section is just for relays #####################
|
||||||
|
#
|
||||||
|
## See https://www.torproject.org/docs/tor-doc-relay for details.
|
||||||
|
|
||||||
|
## Required: what port to advertise for incoming Tor connections.
|
||||||
|
#ORPort 9001
|
||||||
|
## If you want to listen on a port other than the one advertised in
|
||||||
|
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
|
||||||
|
## follows. You'll need to do ipchains or other port forwarding
|
||||||
|
## yourself to make this work.
|
||||||
|
#ORPort 443 NoListen
|
||||||
|
#ORPort 127.0.0.1:9090 NoAdvertise
|
||||||
|
|
||||||
|
## The IP address or full DNS name for incoming connections to your
|
||||||
|
## relay. Leave commented out and Tor will guess.
|
||||||
|
#Address noname.example.com
|
||||||
|
|
||||||
|
## If you have multiple network interfaces, you can specify one for
|
||||||
|
## outgoing traffic to use.
|
||||||
|
## OutboundBindAddressExit will be used for all exit traffic, while
|
||||||
|
## OutboundBindAddressOR will be used for all other connections.
|
||||||
|
## If you do not wish to differentiate, use OutboundBindAddress to
|
||||||
|
## specify the same address for both in a single line.
|
||||||
|
#OutboundBindAddressExit 10.0.0.4
|
||||||
|
#OutboundBindAddressOR 10.0.0.5
|
||||||
|
|
||||||
|
## A handle for your relay, so people don't have to refer to it by key.
|
||||||
|
## Nicknames must be between 1 and 19 characters inclusive, and must
|
||||||
|
## contain only the characters [a-zA-Z0-9].
|
||||||
|
#Nickname ididnteditheconfig
|
||||||
|
|
||||||
|
## Define these to limit how much relayed traffic you will allow. Your
|
||||||
|
## own traffic is still unthrottled. Note that RelayBandwidthRate must
|
||||||
|
## be at least 75 kilobytes per second.
|
||||||
|
## Note that units for these config options are bytes (per second), not
|
||||||
|
## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
|
||||||
|
## 2^20, etc.
|
||||||
|
#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
|
||||||
|
#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
|
||||||
|
|
||||||
|
## Use these to restrict the maximum traffic per day, week, or month.
|
||||||
|
## Note that this threshold applies separately to sent and received bytes,
|
||||||
|
## not to their sum: setting "40 GB" may allow up to 80 GB total before
|
||||||
|
## hibernating.
|
||||||
|
##
|
||||||
|
## Set a maximum of 40 gigabytes each way per period.
|
||||||
|
#AccountingMax 40 GBytes
|
||||||
|
## Each period starts daily at midnight (AccountingMax is per day)
|
||||||
|
#AccountingStart day 00:00
|
||||||
|
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
|
||||||
|
## is per month)
|
||||||
|
#AccountingStart month 3 15:00
|
||||||
|
|
||||||
|
## Administrative contact information for this relay or bridge. This line
|
||||||
|
## can be used to contact you if your relay or bridge is misconfigured or
|
||||||
|
## something else goes wrong. Note that we archive and publish all
|
||||||
|
## descriptors containing these lines and that Google indexes them, so
|
||||||
|
## spammers might also collect them. You may want to obscure the fact that
|
||||||
|
## it's an email address and/or generate a new address for this purpose.
|
||||||
|
#ContactInfo Random Person <nobody AT example dot com>
|
||||||
|
## You might also include your PGP or GPG fingerprint if you have one:
|
||||||
|
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
|
||||||
|
|
||||||
|
## Uncomment this to mirror directory information for others. Please do
|
||||||
|
## if you have enough bandwidth.
|
||||||
|
#DirPort 9030 # what port to advertise for directory connections
|
||||||
|
## If you want to listen on a port other than the one advertised in
|
||||||
|
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
|
||||||
|
## follows. below too. You'll need to do ipchains or other port
|
||||||
|
## forwarding yourself to make this work.
|
||||||
|
#DirPort 80 NoListen
|
||||||
|
#DirPort 127.0.0.1:9091 NoAdvertise
|
||||||
|
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
|
||||||
|
## can explain what Tor is if anybody wonders why your IP address is
|
||||||
|
## contacting them. See contrib/tor-exit-notice.html in Tor's source
|
||||||
|
## distribution for a sample.
|
||||||
|
#DirPortFrontPage /usr/local/etc/tor/tor-exit-notice.html
|
||||||
|
|
||||||
|
## Uncomment this if you run more than one Tor relay, and add the identity
|
||||||
|
## key fingerprint of each Tor relay you control, even if they're on
|
||||||
|
## different networks. You declare it here so Tor clients can avoid
|
||||||
|
## using more than one of your relays in a single circuit. See
|
||||||
|
## https://www.torproject.org/docs/faq#MultipleRelays
|
||||||
|
## However, you should never include a bridge's fingerprint here, as it would
|
||||||
|
## break its concealability and potentially reveal its IP/TCP address.
|
||||||
|
#MyFamily $keyid,$keyid,...
|
||||||
|
|
||||||
|
## A comma-separated list of exit policies. They're considered first
|
||||||
|
## to last, and the first match wins.
|
||||||
|
##
|
||||||
|
## If you want to allow the same ports on IPv4 and IPv6, write your rules
|
||||||
|
## using accept/reject *. If you want to allow different ports on IPv4 and
|
||||||
|
## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
|
||||||
|
## using accept/reject *4.
|
||||||
|
##
|
||||||
|
## If you want to _replace_ the default exit policy, end this with either a
|
||||||
|
## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
|
||||||
|
## the default exit policy. Leave commented to just use the default, which is
|
||||||
|
## described in the man page or at
|
||||||
|
## https://www.torproject.org/documentation.html
|
||||||
|
##
|
||||||
|
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
|
||||||
|
## for issues you might encounter if you use the default exit policy.
|
||||||
|
##
|
||||||
|
## If certain IPs and ports are blocked externally, e.g. by your firewall,
|
||||||
|
## you should update your exit policy to reflect this -- otherwise Tor
|
||||||
|
## users will be told that those destinations are down.
|
||||||
|
##
|
||||||
|
## For security, by default Tor rejects connections to private (local)
|
||||||
|
## networks, including to the configured primary public IPv4 and IPv6 addresses,
|
||||||
|
## and any public IPv4 and IPv6 addresses on any interface on the relay.
|
||||||
|
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
|
||||||
|
## "exit enclaving".
|
||||||
|
##
|
||||||
|
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
|
||||||
|
#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
|
||||||
|
#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
|
||||||
|
#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
|
||||||
|
#ExitPolicy reject *:* # no exits allowed
|
||||||
|
|
||||||
|
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
|
||||||
|
## main directory. Since there is no complete public list of them, even an
|
||||||
|
## ISP that filters connections to all the known Tor relays probably
|
||||||
|
## won't be able to block all the bridges. Also, websites won't treat you
|
||||||
|
## differently because they won't know you're running Tor. If you can
|
||||||
|
## be a real relay, please do; but if not, be a bridge!
|
||||||
|
#BridgeRelay 1
|
||||||
|
## By default, Tor will advertise your bridge to users through various
|
||||||
|
## mechanisms like https://bridges.torproject.org/. If you want to run
|
||||||
|
## a private bridge, for example because you'll give out your bridge
|
||||||
|
## address manually to your friends, uncomment this line:
|
||||||
|
#PublishServerDescriptor 0
|
||||||
|
|
||||||
|
## Configuration options can be imported from files or folders using the %include
|
||||||
|
## option with the value being a path. If the path is a file, the options from the
|
||||||
|
## file will be parsed as if they were written where the %include option is. If
|
||||||
|
## the path is a folder, all files on that folder will be parsed following lexical
|
||||||
|
## order. Files starting with a dot are ignored. Files on subfolders are ignored.
|
||||||
|
## The %include option can be used recursively.
|
||||||
|
#%include /etc/torrc.d/
|
||||||
|
#%include /etc/torrc.custom
|
||||||
|
|
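--- a/rootfs/nginx/conf.d/headers.conf
+++ b/rootfs/nginx/conf.d/headers.conf
@@ -0,0 +1,2 @@
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";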
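--- a/rootfs/nginx/conf.d/proxy.conf
+++ b/rootfs/nginx/conf.d/proxy.conf
@@ -0,0 +1,9 @@
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Remote-Port $remote_port;
+proxy_redirect off;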
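Review bot: `proxy_set_header Connection "upgrade";` is unconditional, so every proxied request — not only WebSocket handshakes — reaches the backend with `Connection: upgrade` and an empty `Upgrade` header, which some backends reject or mishandle and which rules out keepalive to upstreams. The nginx-documented form is a map in the `http` block of `rootfs/nginx/conf/nginx.conf`, `map $http_upgrade $connection_upgrade { default upgrade; '' close; }`, with `proxy_set_header Connection $connection_upgrade;` here. `X-Forwarded-For` is built with `$proxy_add_x_forwarded_for`, which appends to whatever the client already sent, so backends must treat only the last entry as trustworthy; `X-Real-IP` (`$remote_addr`) is the value to rely on for the client address.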
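--- a/rootfs/nginx/conf.d/ssl.conf
+++ b/rootfs/nginx/conf.d/ssl.conf
@@ -0,0 +1,11 @@
+ssl_protocols TLSv1.2;
+ssl_ecdh_curve secp384r1;
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";
+ssl_prefer_server_ciphers on;
+
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;
+
+add_header Strict-Transport-Security "max-age=31536000";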
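Review bot: `ECDHE-ECDSA-CHACHA20-POLY1305-D` in `ssl_ciphers` is a draft-era suite name that, as far as I can tell, stock LibreSSL and OpenSSL do not recognise; unknown names are silently dropped from the list, so it adds nothing and only misleads whoever audits the configuration — remove it. `add_header Strict-Transport-Security "max-age=31536000";` without `always` is emitted only on 2xx/3xx responses (nginx ≥ 1.7.5 supports the flag), so error pages go out without HSTS; `add_header Strict-Transport-Security "max-age=31536000" always;` is the usual form. Bear in mind that `add_header` is not inherited into any block that declares its own, so a `location` generated from `path.d` that adds a header would drop both this one and those from `headers.conf`.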
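--- a/rootfs/nginx/conf/nginx.conf
+++ b/rootfs/nginx/conf/nginx.conf
@@ -0,0 +1,52 @@
+#user web;
+worker_processes auto;
+pid /nginx/run/nginx.pid;
+daemon off;
+
+events {
+worker_connections 1024;
+use epoll;
+}
+
+http {
+include /nginx/conf/mime.types;
+default_type application/octet-stream;
+
+access_log /nginx/log/nginx_access.log combined;
+error_log /nginx/log/nginx_error.log error;
+
+sendfile on;
+keepalive_timeout 15;
+keepalive_disable msie6;
+keepalive_requests 100;
+tcp_nopush on;
+tcp_nodelay off;
+server_tokens off;
+proxy_max_temp_file_size 20480m;
+
+gzip on;
+gzip_comp_level 5;
+gzip_min_length 512;
+gzip_buffers 4 8k;
+gzip_proxied any;
+gzip_vary on;
+gzip_disable "msie6";
+gzip_types
+text/css
+text/javascript
+text/xml
+text/plain
+text/x-component
+application/javascript
+application/x-javascript
+application/json
+application/xml
+application/rss+xml
+application/vnd.ms-fontobject
+font/truetype
+font/opentype
+image/svg+xml;
+
+include /nginx/sites-enabled/*.conf;
+include /nginx/custom_sites/*.conf;
+}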
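Review bot: `proxy_max_temp_file_size 20480m;` lets nginx spool up to 20 GB of a single upstream response to disk whenever a client reads more slowly than the backend writes, so a few slow clients fetching large responses can fill the container's filesystem and take every vhost down with it; if large downloads are the motivation, a `proxy_temp_path` on a dedicated volume or a much smaller limit (the default is 1024m) is safer, and the choice deserves a comment. `#user web;` is a leftover: the build is configured with `--user=reverse --group=reverse`, so the worker user comes from the compiled-in default, which is worth stating in a comment here so nobody "fixes" it to `web`. Indentation is lost in the rendered page, so block nesting is taken as written.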
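--- a/rootfs/nginx/path.d/template
+++ b/rootfs/nginx/path.d/template
@@ -0,0 +1,5 @@
+location <frontend_path> {
+include /nginx/conf.d/proxy.conf;
+client_max_body_size <frontend_domain_max_body_size>;
+proxy_pass http://<backend_addr>:<backend_port>;
+}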
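--- a/rootfs/nginx/path.d/template_auth
+++ b/rootfs/nginx/path.d/template_auth
@@ -0,0 +1,7 @@
+location <frontend_path> {
+include /nginx/conf.d/proxy.conf;
+auth_basic "Who's this?";
+auth_basic_user_file "<auth_file>";
+client_max_body_size <frontend_domain_max_body_size>;
+proxy_pass http://<backend_addr>:<backend_port>;
+}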
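Review bot: `auth_basic` sends credentials base64-encoded, not encrypted, and the locations generated from this template are included by `rootfs/nginx/sites-enabled/template` as well, the plain `listen 80` vhost used when `reverse.frontend.ssl` is not `true`; in that combination the user's password crosses the network in the clear on every request. Either have the generator (not visible in this commit) refuse `reverse.frontend.auth` for a non-SSL site, or require `reverse.frontend.ssl=true` whenever an auth label is present, and say so in the README's label table. A comment at the top of this template, `# only safe behind the ssl vhost: basic auth is cleartext over port 80`, would keep the constraint visible to the next editor.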
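--- a/rootfs/nginx/sites-enabled/template
+++ b/rootfs/nginx/sites-enabled/template
@@ -0,0 +1,6 @@
+server {
+listen 80;
+server_name <frontend_domain>;
+include /nginx/conf.d/headers.conf;
+include /nginx/path.d/<frontend_domain>/*.conf;
+}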
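Review bot: This vhost has `listen 80;` and the Dockerfile says `EXPOSE 80 443`, yet the README documents ports 8080/8443, runs the container with `-p 80:8080 -p 443:8443`, and lists "No ROOT process" as the first feature; an unprivileged nginx cannot bind 80 or 443 without `CAP_NET_BIND_SERVICE`, so one of the three is wrong. If non-root is the intent, change this template to `listen 8080;`, `template_ssl` to `listen 8443 ssl http2;` (and its `rewrite` target), and the Dockerfile to `EXPOSE 8080 8443`; otherwise correct the README. The startup script that would show which user nginx actually runs as is not in this chunk.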
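--- a/rootfs/nginx/sites-enabled/template_ssl
+++ b/rootfs/nginx/sites-enabled/template_ssl
@@ -0,0 +1,27 @@
+server {
+listen 80;
+server_name <frontend_domain> <onion_domain>;
+
+rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
+}
+
+
+server {
+
+listen 443 ssl http2;
+server_name <frontend_domain> <onion_domain>;
+index index.html index.php index.htm;
+
+ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
+ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
+ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
+include /nginx/conf.d/ssl.conf;
+include /nginx/conf.d/headers.conf;
+
+include /nginx/path.d/<frontend_domain>/*.conf;
+
+location ~ /\.well-known/acme-challenge {
+root /nginx/www/<frontend_domain>;
+allow all;
+}
+}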
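Review bot: The ACME challenge location exists only in the 443 server, while the port-80 server rewrites every request, including `/.well-known/acme-challenge/`, to https; the renewal in check_certs uses `--webroot /nginx/www/<domain>`, i.e. HTTP-01 on port 80, so it only succeeds if the CA follows the redirect and the 443 listener still presents a certificate the CA accepts, which is exactly what cannot be relied on when a renewal is late. Serve the challenge directory from the port-80 server before the redirect, as below, and prefer the prefix form `location ^~ /.well-known/acme-challenge/` over the unanchored regex, which matches that substring anywhere in the URI. The `allow all;` line is redundant unless an include elsewhere restricts access.
```nginx
server {
    listen 80;
    # … unchanged: server_name …
    location ^~ /.well-known/acme-challenge/ {
        root /nginx/www/<frontend_domain>;
    }
    location / {
        rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
    }
}
# … unchanged: 443 server block …
```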
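--- a/rootfs/nginx/www/letsencrypt
+++ b/rootfs/nginx/www/letsencrypt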
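--- a/rootfs/usr/local/bin/check_certs
+++ b/rootfs/usr/local/bin/check_certs
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+## Variables
+CSI="\033["
+CEND="${CSI}0m"
+CRED="${CSI}1;31m"
+CGREEN="${CSI}1;32m"
+CYELLOW="${CSI}1;33m"
+CBLUE="${CSI}1;34m"
+
+## Functions
+f_log() {
+LOG_TYPE=$1
+LOG_MESSAGE=$2
+
+case "${LOG_TYPE}" in
+"INF")
+echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+"WRN")
+echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+"ERR")
+echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+esac
+}
+
+f_check_certs() {
+LIST_DOMAINS=$(ls /nginx/ssl/certificates | grep .crt | grep -v issuer | sed 's|.crt||g')
+RELOAD_NGINX=0
+
+for domain in ${LIST_DOMAINS}; do
+CERTFILE=/nginx/ssl/certificates/${domain}.cert.pem
+KEYFILE=/nginx/ssl/certificates/${domain}.key
+CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
+FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
+
+mkdir -p /nginx/www/${domain}
+openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
+if [ $? == 0 ]; then
+f_log INF "Certificate for ${domain} is good for another 10 days!"
+else
+f_log INF "Generate New Certificate for ${domain}"
+/usr/local/bin/lego -a -m ${EMAIL} -d ${domain} --path /nginx/ssl --webroot /nginx/www/${domain} renew
+if [ $? == 0 ]; then
+if [ -e ${FULLCHAINFILE} ]; then
+head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
+tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
+RELOAD_NGINX=1
+f_log INF "New Certificate for ${domain} generated"
+fi
+else
+f_log ERR "New Certificate for ${domain} not generated"
+fi
+fi
+done
+}
+
+f_check_certs
+
+if [ ${RELOAD_NGINX} -eq 1 ]; then
+nginx reload
+fi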
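Review bot: `nginx reload` in the final `if` is not how nginx is signalled (the binary expects `nginx -s reload`), so a renewed certificate is written to disk but not loaded until the container restarts, unless `nginx` on PATH is a wrapper the commit does not show; change the line to `nginx -s reload`. In f_check_certs, `KEYFILE` is assigned and never used, and `LIST_DOMAINS` is built with `grep .crt`, where the unescaped dot also matches names such as `foo-crt` and the trailing `sed 's|.crt||g'` strips that substring anywhere in the name; `grep '\.crt$' | sed 's|\.crt$||'` expresses the intent. The success/failure branches only report lego's exit status, so a failed renewal leaves no reason in the log; keeping lego's output instead of discarding it would make the ERR line actionable.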
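--- a/rootfs/usr/local/bin/startup
+++ b/rootfs/usr/local/bin/startup
@@ -0,0 +1,201 @@
+#!/bin/sh
+
+## Variables
+CSI="\033["
+CEND="${CSI}0m"
+CRED="${CSI}1;31m"
+CGREEN="${CSI}1;32m"
+CYELLOW="${CSI}1;33m"
+CBLUE="${CSI}1;34m"
+
+## Functions
+f_log() {
+LOG_TYPE=$1
+LOG_MESSAGE=$2
+
+case "${LOG_TYPE}" in
+"INF")
+echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+"SUC")
+echo -e "${CGREEN}=SUC= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+"WRN")
+echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+"ERR")
+echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+;;
+esac
+}
+
+f_gen_sites_enabled() {
+if [ "${FRONTEND_SSL}" == "true" ]; then
+template_sites=/nginx/sites-enabled/template_ssl
+else
+template_sites=/nginx/sites-enabled/template
+fi
+if [ "${FRONTEND_TOR}" == "true" ]; then
+if [ -d /tor/${FRONTEND_DOMAIN}/ ]; then
+ONION_DOMAIN=$(cat /tor/${FRONTEND_DOMAIN}/hostname)
+echo "HiddenServiceDir /tor/"${FRONTEND_DOMAIN}"/" >> /etc/tor/torrc
+echo "HiddenServicePort 443 127.0.0.1:443" >> /etc/tor/torrc
+sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+-e 's|<onion_domain>|'${ONION_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+else
+echo "HiddenServiceDir /tor/"${FRONTEND_DOMAIN}"/" >> /etc/tor/torrc
+echo "HiddenServicePort 443 127.0.0.1:443" >> /etc/tor/torrc
+echo "Please restard your container"
+sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+fi
+else
+sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+-e 's|<onion_domain>| |' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+fi
+}
+
+f_gen_location() {
+container_name=$1
+if [ ! -d /nginx/path.d/${FRONTEND_DOMAIN} ]; then
+mkdir -p /nginx/path.d/${FRONTEND_DOMAIN}
+fi
+
+if [ "${FRONTEND_PATH}" == "/" ]; then
+path_file=/nginx/path.d/${FRONTEND_DOMAIN}/base.conf
+auth_file=/nginx/auth/${FRONTEND_DOMAIN}/base.auth
+else
+path_file=/nginx/path.d/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.conf
+auth_file=/nginx/auth/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.auth
+fi
+if [ ! -e ${path_file} ]; then
+if [ "${FRONTEND_AUTH}" != "" ]; then
+mkdir -p /nginx/auth/${FRONTEND_DOMAIN}
+sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
+-e 's|<backend_addr>|'${container_name}'|' \
+-e 's|<backend_port>|'${BACKEND_PORT}'|' \
+-e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+-e 's|<frontend_path>|'${FRONTEND_PATH}'|' \
+-e 's|<auth_file>|'${auth_file}'|' /nginx/path.d/template_auth > ${path_file}
+echo "${FRONTEND_AUTH}" > ${auth_file}
+else
+sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
+-e 's|<backend_addr>|'${container_name}'|' \
+-e 's|<backend_port>|'${BACKEND_PORT}'|' \
+-e 's|<frontend_path>|'${FRONTEND_PATH}'|' /nginx/path.d/template > ${path_file}
+fi
+fi
+}
+
+f_gen_certs() {
+container_name=$1
+if [ "${FRONTEND_SSL}" == "true" ]; then
+CERTFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.cert.pem
+KEYFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.key
+CHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.chain.pem
+FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
+if [ ! -e ${CERTFILE} ] || [ ! -e ${KEYFILE} ] || [ ! -e ${CHAINFILE} ] || [ ! -e ${FULLCHAINFILE} ]; then
+mkdir -p /nginx/www/${FRONTEND_DOMAIN}
+/usr/local/bin/lego -a -m ${EMAIL} -d ${FRONTEND_DOMAIN} --path /nginx/ssl --http :8080 --tls :8443 -k ${FRONTEND_SSLTYPE} run
+if [ $? == 0 ]; then
+head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
+tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
+chown -R ${UID}:${GID} /nginx/ssl/
+fi
+[[ $? == 0 ]] && f_log INF "New Certificate for ${FRONTEND_DOMAIN} generated" || f_log ERR "New Certificate for ${FRONTEND_DOMAIN} not generated"
+fi
+fi
+}
+
+
+
+f_make_conf() {
+
+FRONTEND_DOMAIN=mydomain.local
+FRONTEND_MAX_BODY_SIZE=200M
+FRONTEND_SSLTYPE=ec384
+BACKEND_PORT=8080
+FRONTEND_PATH="/"
+FRONTEND_SSL=false
+FRONTEND_AUTH=""
+FRONTEND_TOR=false
+container_name=$1
+IFS=$'\n'
+if [ "${CONTAINER_LABELS}" != "" ]; then
+for label in ${CONTAINER_LABELS}; do
+case "$(echo ${label} | awk '{print $1}')" in
+"reverse.frontend.domain")
+FRONTEND_DOMAIN=""
+FRONTEND_DOMAIN="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.frontend.path")
+FRONTEND_PATH="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.frontend.auth")
+FRONTEND_AUTH="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.frontend.ssltype")
+FRONTEND_SSLTYPE="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.frontend.domain_max_body_size")
+FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.frontend.ssl")
+FRONTEND_SSL="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.frontend.tor")
+FRONTEND_TOR="$(echo ${label} | awk '{print $2}')"
+;;
+"reverse.backend.port")
+BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
+;;
+esac
+done
+f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
+f_gen_location ${container_name}
+f_gen_sites_enabled
+f_gen_certs ${container_name}
+fi
+}
+
+
+# Check /var/run/docker.sock
+f_log INF "Check if /var/run/docker.sock exist ..."
+ls /var/run/docker.sock > /dev/null 2>&1
+if [ $? == 0 ]; then
+f_log INF "/var/run/docker.sock exist ..."
+else
+f_log ERR "/var/run/docker.sock don't exist ..."
+exit 1
+fi
+
+
+f_log INF "Start reverse configuration ..."
+
+# Prepare container
+f_log INF "Create user 'reverse'"
+addgroup -g ${GID} reverse && adduser -H -s /bin/sh -D -G reverse -u ${UID} reverse
+f_log INF "Create folder"
+mkdir -p /nginx/sites-enabled /nginx /nginx/log /nginx/run /nginx/sites-enabled /nginx/ssl /nginx/ssl/selfsigned/dhparam
+mkdir -p /home/reverse/.tor
+# Generate file
+for container in $(curl --unix-socket /var/run/docker.sock http://localhost/containers/json 2> /dev/null | jq '.[].Names' | sed 's|.*"/\(.*\)"$|\1|;/\[/d;/\]/d'); do
+CONTAINER_LABELS=$(curl --unix-socket /var/run/docker.sock http://localhost/containers/${container}/json 2> /dev/null | jq '.Config.Labels' | grep -E "reverse\." | sed 's|.*"\(.*\)": "\(.*\)".*$|\1 \2|')
+f_make_conf ${container}
+done
+
+f_log INF "Apply permissions"
+chown -R reverse:reverse /nginx /etc/s6.d /tor/ /home/reverse/.tor
+chmod +x /usr/local/bin/check_certs
+find /etc/s6.d -name run -exec chmod +x {} \;
+find /etc/s6.d -name finish -exec chmod +x {} \;
+
+f_log SUC "End reverse configuration"
+
+
+## run s6
+if [ $# -gt 0 ]; then
+exec su-exec reverse:reverse "$@"
+else
+exec su-exec reverse:reverse /bin/s6-svscan /etc/s6.d
+fi
+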
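Review bot: Label values read from the Docker API in the main loop are spliced unquoted into the `sed` expressions of f_gen_location and f_gen_sites_enabled and from there into the generated nginx configuration, so any container on the host whose labels start with `reverse.` effectively writes this proxy's config: a value containing `|` breaks the expression, and one containing `;` or `}` adds directives. f_make_conf should reject values that do not match the expected shape before it calls the generators, as sketched below, and the same applies to the remaining labels (`ssltype`, `domain_max_body_size`, `ssl`, `tor`). Separately, `[[ $? == 0 ]]` in f_gen_certs is a bash construct under `#!/bin/sh`, and its `$?` is the status of the preceding `if` compound command, which is zero when lego failed and the body was skipped, so that line cannot report a failed issuance; test lego's status in a variable instead. `addgroup -g ${GID}` and `adduser -u ${UID}` near the end fail outright when those variables are unset and nothing here defaults them; if the Dockerfile does not set them, `: "${UID:=1000}"`-style defaults belong at the top of the script.
```sh
# … unchanged: label parsing loop …
# Reject label values that would break the sed expressions or add nginx directives
case "${FRONTEND_DOMAIN}" in
""|*[!A-Za-z0-9.-]*) f_log ERR "Invalid reverse.frontend.domain for ${container_name}"; return 1 ;;
esac
case "${BACKEND_PORT}" in
""|*[!0-9]*) f_log ERR "Invalid reverse.backend.port for ${container_name}"; return 1 ;;
esac
case "${FRONTEND_PATH}" in
""|*..*|*[!A-Za-z0-9/_.-]*) f_log ERR "Invalid reverse.frontend.path for ${container_name}"; return 1 ;;
esac
f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
# … unchanged: f_gen_location / f_gen_sites_enabled / f_gen_certs calls …
```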